Merge remote-tracking branch 'origin/PolkitApplier_addition'

gpoa/frontend/appliers/netshare.py

@@ -0,0 +1,78 @@
+#
+# GPOA - GPO Applier for Linux
+#
+# Copyright (C) 2019-2022 BaseALT Ltd.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import subprocess
+
+from gpt.folders import (
+      FileAction
+    , action_letter2enum
+)
+from util.logging import log
+from util.windows import expand_windows_var
+
+
+
+class Networkshare:
+
+    def __init__(self, networkshare_obj):
+        self.net_full_cmd = ['/usr/bin/net', 'usershare']
+        self.cmd = list()
+        self.name = networkshare_obj.name
+        self.path = expand_windows_var(networkshare_obj.path).replace('\\', '/') if networkshare_obj.path else None
+        self.action = action_letter2enum(networkshare_obj.action)
+        self.allRegular =  networkshare_obj.allRegular
+        self.comment = networkshare_obj.comment
+        self.limitUsers = networkshare_obj.limitUsers
+        self.abe = networkshare_obj.abe
+        self._guest = 'guest_ok=y'
+        self.acl = 'Everyone:'
+        self.act()
+
+    def _run_net_full_cmd(self):
+        try:
+            subprocess.call(self.net_full_cmd, stderr=subprocess.DEVNULL)
+        except Exception as exc:
+            logdata = dict()
+            logdata['cmd'] = self.net_full_cmd
+            logdata['exc'] = exc
+            log('D182', logdata)
+
+
+    def _create_action(self):
+        self.net_full_cmd.append('add')
+        self.net_full_cmd.append(self.name)
+        self.net_full_cmd.append(self.path)
+        self.net_full_cmd.append(self.comment)
+        self.net_full_cmd.append(self.acl + 'F' if self.abe == 'ENABLE' else self.acl + 'R')
+        self.net_full_cmd.append(self._guest)
+        self._run_net_full_cmd()
+
+    def _delete_action(self):
+        self.net_full_cmd.append('delete')
+        self.net_full_cmd.append(self.name)
+        self._run_net_full_cmd()
+
+    def act(self):
+        if self.action == FileAction.CREATE:
+            self._create_action()
+        if self.action == FileAction.UPDATE:
+            self._create_action()
+        if self.action == FileAction.DELETE:
+            self._delete_action()
+        if self.action == FileAction.REPLACE:
+            self._create_action()

gpoa/frontend/appliers/polkit.py

@@ -18,9 +18,8 @@
 
 import os
 import jinja2
-import logging
 
-from util.logging import slogm, log
+from util.logging import log
 
 class polkit:
     __template_path = '/usr/share/gpupdate/templates'
@@ -38,7 +37,19 @@ class polkit:
         else:
             self.outfile = os.path.join(self.__policy_dir, '{}.rules'.format(self.template_name))
 
+    def _is_empty(self):
+        for key, item in self.args.items():
+            if key == 'User':
+                continue
+            elif item:
+                return False
+        return True
+
     def generate(self):
+        if self._is_empty():
+            if os.path.isfile(self.outfile):
+                os.remove(self.outfile)
+            return
         try:
             template = self.__template_environment.get_template(self.infilename)
             text = template.render(**self.args)

gpoa/frontend/frontend_manager.py

@@ -68,6 +68,9 @@ from .ini_applier import (
     , ini_applier_user
 )
 
+from .networkshare_applier import networkshare_applier
+from .yandex_browser_applier import yandex_browser_applier
+
 from util.sid import get_sid
 from util.users import (
     is_root,
@@ -140,6 +143,7 @@ class frontend_manager:
         self.machine_appliers['systemd'] = systemd_applier(self.storage)
         self.machine_appliers['firefox'] = firefox_applier(self.storage, self.sid, self.username)
         self.machine_appliers['chromium'] = chromium_applier(self.storage, self.sid, self.username)
+        self.machine_appliers['yandex_browser'] = yandex_browser_applier(self.storage, self.sid, self.username)
         self.machine_appliers['shortcuts'] = shortcut_applier(self.storage)
         self.machine_appliers['gsettings'] = gsettings_applier(self.storage, self.file_cache)
         try:
@@ -155,6 +159,7 @@ class frontend_manager:
         self.machine_appliers['package'] = package_applier(self.storage)
         self.machine_appliers['ntp'] = ntp_applier(self.storage)
         self.machine_appliers['envvar'] = envvar_applier(self.storage, self.sid)
+        self.machine_appliers['networkshare'] = networkshare_applier(self.storage, self.sid)
         self.machine_appliers['scripts'] = scripts_applier(self.storage, self.sid)
         self.machine_appliers['files'] = file_applier(self.storage, self.file_cache, self.sid)
         self.machine_appliers['ini'] = ini_applier(self.storage, self.sid)

gpoa/frontend/networkshare_applier.py

@@ -0,0 +1,46 @@
+#
+# GPOA - GPO Applier for Linux
+#
+# Copyright (C) 2019-2022 BaseALT Ltd.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from .appliers.netshare import Networkshare
+from .applier_frontend import (
+      applier_frontend
+    , check_enabled
+)
+from util.logging import log
+
+class networkshare_applier(applier_frontend):
+    __module_name = 'NetworksharesApplier'
+    __module_experimental = True
+    __module_enabled = False
+
+    def __init__(self, storage, sid):
+        self.storage = storage
+        self.sid = sid
+        self.networkshare_info = self.storage.get_networkshare(self.sid)
+        self.__module_enabled = check_enabled(self.storage, self.__module_name, self.__module_experimental)
+
+    def run(self):
+        for networkshar in self.networkshare_info:
+            Networkshare(networkshar)
+
+    def apply(self):
+        if self.__module_enabled:
+            log('D187')
+            self.run()
+        else:
+            log('D181')

gpoa/frontend/polkit_applier.py

@@ -19,36 +19,74 @@
 from .applier_frontend import (
       applier_frontend
     , check_enabled
+    , check_windows_mapping_enabled
 )
 from .appliers.polkit import polkit
-from util.logging import slogm, log
-
-import logging
+from util.logging import log
 
 class polkit_applier(applier_frontend):
     __module_name = 'PolkitApplier'
     __module_experimental = False
     __module_enabled = True
-    __deny_all = 'Software\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\Deny_All'
+    __deny_all_win = 'Software\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\Deny_All'
+    __registry_branch = 'Software\\BaseALT\\Policies\\Polkit\\'
+    __registry_locks_branch = 'Software\\BaseALT\\Policies\\PolkitLocks\\'
     __polkit_map = {
-        __deny_all: ['49-gpoa_disk_permissions', { 'Deny_All': 0 }]
+        __deny_all_win: ['49-gpoa_disk_permissions', { 'Deny_All': 0 }],
+        __registry_branch : ['49-group_policy_permissions', {}],
+        __registry_locks_branch : ['47-group_policy_permissions', {}]
     }
 
     def __init__(self, storage):
         self.storage = storage
-        deny_all = storage.filter_hklm_entries(self.__deny_all).first()
+        deny_all_win = None
+        if check_windows_mapping_enabled(self.storage):
+            deny_all_win = storage.filter_hklm_entries(self.__deny_all_win).first()
         # Deny_All hook: initialize defaults
-        template_file = self.__polkit_map[self.__deny_all][0]
-        template_vars = self.__polkit_map[self.__deny_all][1]
-        if deny_all:
+        polkit_filter = '{}%'.format(self.__registry_branch)
+        polkit_locks_filter = '{}%'.format(self.__registry_locks_branch)
+        self.polkit_keys = self.storage.filter_hklm_entries(polkit_filter)
+        self.polkit_locks = self.storage.filter_hklm_entries(polkit_locks_filter)
+        template_file = self.__polkit_map[self.__deny_all_win][0]
+        template_vars = self.__polkit_map[self.__deny_all_win][1]
+        template_file_all = self.__polkit_map[self.__registry_branch][0]
+        template_vars_all = self.__polkit_map[self.__registry_branch][1]
+        template_file_all_lock = self.__polkit_map[self.__registry_locks_branch][0]
+        template_vars_all_lock = self.__polkit_map[self.__registry_locks_branch][1]
+        locks = list()
+        for lock in self.polkit_locks:
+            if bool(int(lock.data)):
+                locks.append(lock.valuename)
+
+        dict_lists_rules = {'No': [[], []],
+                            'Yes': [[], []],
+                            'Auth_self' : [[], []],
+                            'Auth_admin': [[], []],
+                            'Auth_self_keep': [[], []],
+                            'Auth_admin_keep': [[], []]}
+
+        check_and_add_to_list = (lambda it, act: dict_lists_rules[act][0].append(it.valuename)
+                                if it.valuename not in locks
+                                else dict_lists_rules[act][1].append(it.valuename))
+
+        for it_data in self.polkit_keys:
+            check_and_add_to_list(it_data, it_data.data)
+
+        for key, item in dict_lists_rules.items():
+            self.__polkit_map[self.__registry_branch][1][key] = item[0]
+            self.__polkit_map[self.__registry_locks_branch][1][key] = item[1]
+
+        if deny_all_win:
             logdata = dict()
-            logdata['Deny_All'] = deny_all.data
+            logdata['Deny_All_win'] = deny_all_win.data
             log('D69', logdata)
-            self.__polkit_map[self.__deny_all][1]['Deny_All'] = deny_all.data
+            self.__polkit_map[self.__deny_all_win][1]['Deny_All'] = deny_all_win.data
         else:
             log('D71')
         self.policies = []
         self.policies.append(polkit(template_file, template_vars))
+        self.policies.append(polkit(template_file_all, template_vars_all))
+        self.policies.append(polkit(template_file_all_lock, template_vars_all_lock))
         self.__module_enabled = check_enabled(
               self.storage
             , self.__module_name
@@ -70,31 +108,55 @@ class polkit_applier_user(applier_frontend):
     __module_name = 'PolkitApplierUser'
     __module_experimental = False
     __module_enabled = True
-    __deny_all = 'Software\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\Deny_All'
+    __deny_all_win = 'Software\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\Deny_All'
+    __registry_branch = 'Software\\BaseALT\\Policies\\Polkit\\'
     __polkit_map = {
-            __deny_all: ['48-gpoa_disk_permissions_user', { 'Deny_All': 0, 'User': '' }]
+            __deny_all_win: ['48-gpoa_disk_permissions_user', { 'Deny_All': 0, 'User': '' }],
+            __registry_branch : ['48-group_policy_permissions_user', {'User': ''}]
     }
 
     def __init__(self, storage, sid, username):
         self.storage = storage
         self.sid = sid
         self.username = username
-
-        deny_all = storage.filter_hkcu_entries(self.sid, self.__deny_all).first()
+        deny_all_win = None
+        if check_windows_mapping_enabled(self.storage):
+            deny_all_win = storage.filter_hkcu_entries(self.sid, self.__deny_all_win).first()
+        polkit_filter = '{}%'.format(self.__registry_branch)
+        self.polkit_keys = self.storage.filter_hkcu_entries(self.sid, polkit_filter)
         # Deny_All hook: initialize defaults
-        template_file = self.__polkit_map[self.__deny_all][0]
-        template_vars = self.__polkit_map[self.__deny_all][1]
-        if deny_all:
+        template_file = self.__polkit_map[self.__deny_all_win][0]
+        template_vars = self.__polkit_map[self.__deny_all_win][1]
+        template_file_all = self.__polkit_map[self.__registry_branch][0]
+        template_vars_all = self.__polkit_map[self.__registry_branch][1]
+
+        dict_lists_rules = {'No': [],
+                            'Yes': [],
+                            'Auth_self': [],
+                            'Auth_admin': [],
+                            'Auth_self_keep': [],
+                            'Auth_admin_keep': []}
+
+        for it_data in self.polkit_keys:
+            dict_lists_rules[it_data.data].append(it_data.valuename)
+
+        self.__polkit_map[self.__registry_branch][1]['User'] = self.username
+
+        for key, item in dict_lists_rules.items():
+            self.__polkit_map[self.__registry_branch][1][key] = item
+
+        if deny_all_win:
             logdata = dict()
             logdata['user'] = self.username
-            logdata['Deny_All'] = deny_all.data
+            logdata['Deny_All_win'] = deny_all_win.data
             log('D70', logdata)
-            self.__polkit_map[self.__deny_all][1]['Deny_All'] = deny_all.data
-            self.__polkit_map[self.__deny_all][1]['User'] = self.username
+            self.__polkit_map[self.__deny_all_win][1]['Deny_All'] = deny_all_win.data
+            self.__polkit_map[self.__deny_all_win][1]['User'] = self.username
         else:
             log('D72')
         self.policies = []
         self.policies.append(polkit(template_file, template_vars, self.username))
+        self.policies.append(polkit(template_file_all, template_vars_all, self.username))
         self.__module_enabled = check_enabled(
               self.storage
             , self.__module_name

gpoa/frontend/yandex_browser_applier.py

@@ -0,0 +1,169 @@
+#
+# GPOA - GPO Applier for Linux
+#
+# Copyright (C) 2019-2022 BaseALT Ltd.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from .applier_frontend import (
+      applier_frontend
+    , check_enabled
+)
+
+import json
+import os
+from util.logging import log
+from util.util import is_machine_name
+
+class yandex_browser_applier(applier_frontend):
+    __module_name = 'YandexBrowserApplier'
+    __module_enabled = True
+    __module_experimental = False
+    __registry_branch = 'Software\\Policies\\YandexBrowser'
+    __managed_policies_path = '/etc/opt/yandex/browser/policies/managed'
+    __recommended_policies_path = '/etc/opt/yandex/browser/policies/recommended'
+
+    def __init__(self, storage, sid, username):
+        self.storage = storage
+        self.sid = sid
+        self.username = username
+        self._is_machine_name = is_machine_name(self.username)
+        yandex_filter = '{}%'.format(self.__registry_branch)
+        self.yandex_keys = self.storage.filter_hklm_entries(yandex_filter)
+
+        self.policies_json = dict()
+
+        self.__module_enabled = check_enabled(
+              self.storage
+            , self.__module_name
+            , self.__module_experimental
+        )
+
+    def machine_apply(self):
+        '''
+        Apply machine settings.
+        '''
+
+        destfile = os.path.join(self.__managed_policies_path, 'policies.json')
+
+        try:
+            recommended__json = self.policies_json.pop('Recommended')
+        except:
+            recommended__json = {}
+
+        #Replacing all nested dictionaries with a list
+        dict_item_to_list = (
+            lambda target_dict :
+                {key:[*val.values()] if type(val) == dict else val for key,val in target_dict.items()}
+            )
+        os.makedirs(self.__managed_policies_path, exist_ok=True)
+        with open(destfile, 'w') as f:
+            json.dump(dict_item_to_list(self.policies_json), f)
+            logdata = dict()
+            logdata['destfile'] = destfile
+            log('D185', logdata)
+
+        destfilerec = os.path.join(self.__recommended_policies_path, 'policies.json')
+        os.makedirs(self.__recommended_policies_path, exist_ok=True)
+        with open(destfilerec, 'w') as f:
+            json.dump(dict_item_to_list(recommended__json), f)
+            logdata = dict()
+            logdata['destfilerec'] = destfilerec
+            log('D185', logdata)
+
+
+    def apply(self):
+        '''
+        All actual job done here.
+        '''
+        if self.__module_enabled:
+            log('D183')
+            self.create_dict(self.yandex_keys)
+            self.machine_apply()
+        else:
+            log('D184')
+
+    def get_valuename_typeint(self):
+        '''
+        List of keys resulting from parsing chrome.admx with parsing_chrom_admx_intvalues.py
+        '''
+        valuename_typeint = (['TurboSettings',
+                            'DefaultPluginsSetting',
+                            'BrowserSignin',
+                            'DefaultCookiesSetting',
+                            'DefaultGeolocationSetting',
+                            'DefaultPopupsSetting',
+                            'DeveloperToolsAvailability',
+                            'IncognitoModeAvailability',
+                            'PasswordProtectionWarningTrigger',
+                            'SafeBrowsingProtectionLevel',
+                            'SafeBrowsingProtectionLevel_recommended',
+                            'SidePanelMode',
+                            'YandexAutoLaunchMode'])
+        return valuename_typeint
+
+
+    def get_boolean(self,data):
+        if data in ['0', 'false', None, 'none', 0]:
+            return False
+        if data in ['1', 'true', 1]:
+            return True
+    def get_parts(self, hivekeyname):
+        '''
+        Parse registry path string and leave key parameters
+        '''
+        parts = hivekeyname.replace(self.__registry_branch, '').split('\\')
+        return parts
+
+
+    def create_dict(self, yandex_keys):
+        '''
+        Collect dictionaries from registry keys into a general dictionary
+        '''
+        counts = dict()
+        #getting the list of keys to read as an integer
+        valuename_typeint = self.get_valuename_typeint()
+        for it_data in yandex_keys:
+            branch = counts
+            try:
+                if type(it_data.data) is bytes:
+                    it_data.data = it_data.data.decode(encoding='utf-16').replace('\x00','')
+                parts = self.get_parts(it_data.hive_key)
+                #creating a nested dictionary from elements
+                for part in parts[:-1]:
+                    branch = branch.setdefault(part, {})
+                #dictionary key value initialization
+                if it_data.type == 4:
+                    if it_data.valuename in valuename_typeint:
+                        branch[parts[-1]] = int(it_data.data)
+                    else:
+                        branch[parts[-1]] = self.get_boolean(it_data.data)
+                else:
+                    if it_data.data[0] == '[' and it_data.data[-1] == ']':
+                        try:
+                            branch[parts[-1]] = json.loads(str(it_data.data))
+                        except:
+                            branch[parts[-1]] = str(it_data.data).replace('\\', '/')
+                    else:
+                        branch[parts[-1]] = str(it_data.data).replace('\\', '/')
+
+            except Exception as exc:
+                logdata = dict()
+                logdata['Exception'] = exc
+                logdata['keyname'] = it_data.keyname
+                log('D178', logdata)
+        try:
+            self.policies_json = counts['']
+        except:
+            self.policies_json = {}

gpoa/gpt/gpt.py

@@ -68,6 +68,10 @@ from .scriptsini import (
       read_scripts
     , merge_scripts
 )
+from .networkshares import (
+      read_networkshares
+    , merge_networkshares
+)
 import util
 import util.preg
 from util.paths import (
@@ -91,6 +95,7 @@ class FileType(Enum):
     SERVICES = 'services.xml'
     PRINTERS = 'printers.xml'
     SCRIPTS = 'scripts.ini'
+    NETWORKSHARES = 'networkshares.xml'
 
 def get_preftype(path_to_file):
     fpath = Path(path_to_file)
@@ -117,6 +122,7 @@ def pref_parsers():
     parsers[FileType.SERVICES] = read_services
     parsers[FileType.PRINTERS] = read_printers
     parsers[FileType.SCRIPTS] = read_scripts
+    parsers[FileType.NETWORKSHARES] = read_networkshares
 
     return parsers
 
@@ -138,6 +144,7 @@ def pref_mergers():
     mergers[FileType.SERVICES] = merge_services
     mergers[FileType.PRINTERS] = merge_printers
     mergers[FileType.SCRIPTS] = merge_scripts
+    mergers[FileType.NETWORKSHARES] = merge_networkshares
 
     return mergers
 
@@ -171,6 +178,7 @@ class gpt:
             , 'services'
             , 'scheduledtasks'
             , 'scripts'
+            , 'networkshares'
         ]
         self.settings = dict()
         self.settings['machine'] = dict()

gpoa/gpt/networkshares.py

@@ -0,0 +1,56 @@
+#
+# GPOA - GPO Applier for Linux
+#
+# Copyright (C) 2019-2022 BaseALT Ltd.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from util.xml import get_xml_root
+
+def read_networkshares(networksharesxml):
+    networkshares = list()
+
+    for share in get_xml_root(networksharesxml):
+        props = share.find('Properties')
+        networkshare_obj = networkshare(props.get('name'))
+        networkshare_obj.set_action(props.get('action', default='C'))
+        networkshare_obj.set_path(props.get('path', default=None))
+        networkshare_obj.set_all_regular(props.get('allRegular', default=None))
+        networkshare_obj.set_comment(props.get('comment', default=None))
+        networkshare_obj.set_limitUsers(props.get('limitUsers', default=None))
+        networkshare_obj.set_abe(props.get('abe', default=None))
+        networkshares.append(networkshare_obj)
+
+    return networkshares
+
+def merge_networkshares(storage, sid, networkshares_objects, policy_name):
+    for networkshareobj in networkshares_objects:
+        storage.add_networkshare(sid, networkshareobj, policy_name)
+
+class networkshare:
+    def __init__(self, name):
+        self.name = name
+
+    def set_action(self, action):
+        self.action = action
+    def set_path(self, path):
+        self.path = path
+    def set_all_regular(self, allRegular):
+        self.allRegular = allRegular
+    def set_comment(self, comment):
+        self.comment = comment
+    def set_limitUsers(self, limitUsers):
+        self.limitUsers = limitUsers
+    def set_abe(self, abe):
+        self.abe = abe

gpoa/locale/ru_RU/LC_MESSAGES/gpoa.po

@@ -709,25 +709,25 @@ msgid "Running File copy applier for machine"
 msgstr "Запуск применение настроек копирования файлов для машины"
 
 msgid "Running File copy applier for machine will not be started"
-msgstr "Запуск применение настроек копирования файлов для машины не будет запущено"
+msgstr "Применение настроек копирования файлов для машины не будет запущено"
 
 msgid "Running File copy applier for user in administrator context"
 msgstr "Запуск применение настроек копирования файлов для пользователя в контексте администратора"
 
 msgid "Running File copy applier for user in administrator context will not be started"
-msgstr "Запуск применение настроек копирования файлов для пользователя в контексте администратора не будет запущено"
+msgstr "Применение настроек копирования файлов для пользователя в контексте администратора не будет запущено"
 
 msgid "Running ini applier for machine"
 msgstr "Запуск применение настроек ini файлов для машины"
 
 msgid "Running ini applier for machine will not be started"
-msgstr "Запуск применение настроек ini файлов для машины не будет запущено"
+msgstr "Применение настроек ini файлов для машины не будет запущено"
 
 msgid "Running ini applier for user in administrator context"
 msgstr "Запуск применение настроек ini файлов для пользователя в контексте администратора"
 
 msgid "Running ini applier for user in administrator context will not be started"
-msgstr "Запуск применение настроек ini файлов для пользователя в контексте администратора не будет запущено"
+msgstr "Применение настроек ini файлов для пользователя в контексте администратора не будет запущено"
 
 msgid "Ini-file path not recognized"
 msgstr "Путь к ini-файлу не распознан"
@@ -747,6 +747,27 @@ msgstr "Запуск применение настроек CIFS для маши
 msgid "CIFS applier for machine will not be started"
 msgstr "Применение настроек CIFS для машины не будет запущено"
 
+msgid "Saving information about network shares"
+msgstr "Сохранение информации о сетевых ресурсах"
+
+msgid "Running networkshare applier for machine"
+msgstr "Запуск применение настроек сетевых каталогов для машины"
+
+msgid "Running networkshare applier for machine will not be starte"
+msgstr "Применение настроек сетевых каталогов для машины не будет запущено"
+
+msgid "Apply network share data action failed"
+msgstr "Не удалось применить действие с данными общего сетевого ресурса"
+
+msgid "Running yandex_browser_applier for machine"
+msgstr "Запуск yandex_browser_applier для машины"
+
+msgid "Yandex_browser_applier for machine will not be started"
+msgstr "Yandex_browser_applier для машины не запустится"
+
+msgid "Wrote YandexBrowser preferences to"
+msgstr "Запись настройки Яндекс Браузера в"
+
 # Debug_end
 
 # Warning

gpoa/messages/__init__.py

@@ -285,6 +285,13 @@ def debug_code(code):
     debug_ids[178] = 'Dictionary key generation failed'
     debug_ids[179] = 'Running CIFS applier for machine'
     debug_ids[180] = 'CIFS applier for machine will not be started'
+    debug_ids[181] = 'Running networkshare applier for machine will not be started'
+    debug_ids[182] = 'Apply network share data action failed'
+    debug_ids[183] = 'Running yandex_browser_applier for machine'
+    debug_ids[184] = 'Yandex_browser_applier for machine will not be started'
+    debug_ids[185] = 'Wrote YandexBrowser preferences to'
+    debug_ids[186] = 'Saving information about network shares'
+    debug_ids[187] = 'Running networkshare applier for machine'
 
     return debug_ids.get(code, 'Unknown debug code')
 

gpoa/storage/record_types.py

@@ -271,3 +271,35 @@ class ini_entry(object):
         fields['value'] = self.value
 
         return fields
+
+class networkshare_entry(object):
+    '''
+    Object mapping representing NETWORKSHARES.XML
+    '''
+    def __init__(self, sid, networkshareobj, policy_name):
+        self.sid = sid
+        self.policy_name = policy_name
+        self.name = networkshareobj.name
+        self.action = networkshareobj.action
+        self.path = networkshareobj.path
+        self.allRegular = networkshareobj.allRegular
+        self.comment = networkshareobj.comment
+        self.limitUsers = networkshareobj.limitUsers
+        self.abe = networkshareobj.abe
+
+
+    def update_fields(self):
+        '''
+        Return list of fields to update
+        '''
+        fields = dict()
+        fields['policy_name'] = self.policy_name
+        fields['name'] = self.name
+        fields['action'] = self.action
+        fields['path'] = self.path
+        fields['allRegular'] = self.allRegular
+        fields['comment'] = self.comment
+        fields['limitUsers'] = self.limitUsers
+        fields['abe'] = self.abe
+
+        return fields

gpoa/storage/sqlite_registry.py

@@ -47,6 +47,7 @@ from .record_types import (
     , script_entry
     , file_entry
     , ini_entry
+    , networkshare_entry
 )
 
 class sqlite_registry(registry):
@@ -192,6 +193,21 @@ class sqlite_registry(registry):
             , Column('value', String)
             , UniqueConstraint('sid', 'action', 'path', 'section', 'property', 'value')
         )
+        self.__networkshare = Table(
+              'Networkshare'
+            , self.__metadata
+            , Column('id', Integer, primary_key=True)
+            , Column('sid', String)
+            , Column('policy_name', String)
+            , Column('name', String)
+            , Column('action', String)
+            , Column('path', String)
+            , Column('allRegular', String)
+            , Column('comment', String)
+            , Column('limitUsers', String)
+            , Column('abe', String)
+            , UniqueConstraint('sid', 'name', 'path')
+        )
 
         self.__metadata.create_all(self.db_cnt)
         Session = sessionmaker(bind=self.db_cnt)
@@ -208,6 +224,7 @@ class sqlite_registry(registry):
             mapper(script_entry, self.__scripts)
             mapper(file_entry, self.__files)
             mapper(ini_entry, self.__ini)
+            mapper(networkshare_entry, self.__networkshare)
         except:
             pass
             #logging.error('Error creating mapper')
@@ -464,6 +481,22 @@ class sqlite_registry(registry):
                 .update(inientry.update_fields()))
             self.db_session.commit()
 
+    def add_networkshare(self, sid, networkshareobj, policy_name):
+        networkshareentry = networkshare_entry(sid, networkshareobj, policy_name)
+        logdata = dict()
+        logdata['name'] = networkshareentry.name
+        logdata['path'] = networkshareentry.path
+        logdata['action'] = networkshareentry.action
+        log('D186', logdata)
+        try:
+            self._add(networkshareentry)
+        except Exception as exc:
+            (self
+                ._filter_sid_obj(networkshare_entry, sid)
+                .filter(networkshare_entry.path == networkshareentry.path)
+                .update(networkshareentry.update_fields()))
+            self.db_session.commit()
+
 
     def _filter_sid_obj(self, row_object, sid):
         res = (self
@@ -512,6 +545,9 @@ class sqlite_registry(registry):
     def get_files(self, sid):
         return self._filter_sid_list(file_entry, sid)
 
+    def get_networkshare(self, sid):
+        return self._filter_sid_list(networkshare_entry, sid)
+
     def get_ini(self, sid):
         return self._filter_sid_list(ini_entry, sid)
 
@@ -567,6 +603,7 @@ class sqlite_registry(registry):
         self._wipe_sid(script_entry, sid)
         self._wipe_sid(file_entry, sid)
         self._wipe_sid(ini_entry, sid)
+        self._wipe_sid(networkshare_entry, sid)
 
     def _wipe_sid(self, row_object, sid):
         (self

gpoa/templates/47-group_policy_permissions.rules.j2

@@ -0,0 +1,63 @@
+{#
+ # GPOA - GPO Applier for Linux
+ #
+ # Copyright (C) 2019-2022 BaseALT Ltd.
+ #
+ # This program is free software: you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation, either version 3 of the License, or
+ # (at your option) any later version.
+ #
+ # This program is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ # GNU General Public License for more details.
+ #
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ #}
+
+{% if No|length %}
+polkit.addRule(function (action, subject) {
+    if ({% for res in No -%}
+        action.id == "{{res}}"{% if No|length == loop.index %}){ {% else %} ||{% endif %}
+        {% endfor %}    return polkit.Result.NO;
+    }
+});
+{% endif %}{% if Yes|length %}
+polkit.addRule(function (action, subject) {
+	if ({% for res in Yes -%}
+		action.id == "{{res}}"{% if Yes|length == loop.index %}){ {% else %} ||{% endif %}
+		{% endfor %}    return polkit.Result.YES;
+	}
+});
+{% endif %}{% if Auth_self|length %}
+polkit.addRule(function (action, subject) {
+	if ({% for res in Auth_self -%}
+		action.id == "{{res}}"{% if Auth_self|length == loop.index %}){ {% else %} ||{% endif %}
+		{% endfor %}    return polkit.Result.AUTH_SELF;
+	}
+});
+{% endif %}{% if Auth_admin|length %}
+polkit.addRule(function (action, subject) {
+	if ({% for res in Auth_admin -%}
+		action.id == "{{res}}"{% if Auth_admin|length == loop.index %}){ {% else %} ||{% endif %}
+		{% endfor %}    return polkit.Result.AUTH_ADMIN;
+	}
+});
+{% endif %}{% if Auth_self_keep|length %}
+polkit.addRule(function (action, subject) {
+	if ({% for res in Auth_self_keep -%}
+		action.id == "{{res}}"{% if Auth_self_keep|length == loop.index %}){ {% else %} ||{% endif %}
+		{% endfor %}    return polkit.Result.AUTH_SELF_KEEP;
+	}
+});
+{% endif %}{% if Auth_admin_keep|length %}
+polkit.addRule(function (action, subject) {
+	if ({% for res in Auth_admin_keep -%}
+		action.id == "{{res}}"{% if Auth_admin_keep|length == loop.index %}){ {% else %} ||{% endif %}
+		{% endfor %}    return polkit.Result.AUTH_ADMIN_KEEP;
+    }
+});
+
+{% endif %}

gpoa/templates/48-group_policy_permissions_user.rules.j2

@@ -0,0 +1,63 @@
+{#
+ # GPOA - GPO Applier for Linux
+ #
+ # Copyright (C) 2019-2022 BaseALT Ltd.
+ #
+ # This program is free software: you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation, either version 3 of the License, or
+ # (at your option) any later version.
+ #
+ # This program is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ # GNU General Public License for more details.
+ #
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ #}
+
+{% if No|length %}
+polkit.addRule(function (action, subject) {
+    if ({% for res in No -%}
+        action.id == "{{res}}" {% if No|length == loop.index %}&&{% else %}||{% endif %}
+        {% endfor %}subject.user == "{{User}}") {
+			return polkit.Result.NO;
+    }
+});{% endif %}{% if Yes|length %}
+polkit.addRule(function (action, subject) {
+    if ({% for res in Yes -%}
+        action.id == "{{res}}" {% if Yes|length == loop.index %}&&{% else %}||{% endif %}
+        {% endfor %}subject.user == "{{User}}") {
+			return polkit.Result.YES;
+    }
+});{% endif %}{% if Auth_self|length %}
+polkit.addRule(function (action, subject) {
+    if ({% for res in Auth_self -%}
+        action.id == "{{res}}" {% if Auth_self|length == loop.index %}&&{% else %}||{% endif %}
+        {% endfor %}subject.user == "{{User}}") {
+			return polkit.Result.AUTH_SELF;
+    }
+});{% endif %}{% if Auth_admin|length %}
+polkit.addRule(function (action, subject) {
+    if ({% for res in Auth_admin -%}
+        action.id == "{{res}}" {% if Auth_admin|length == loop.index %}&&{% else %}||{% endif %}
+        {% endfor %}subject.user == "{{User}}") {
+			return polkit.Result.AUTH_ADMIN;
+    }
+});{% endif %}{% if Auth_self_keep|length %}
+polkit.addRule(function (action, subject) {
+    if ({% for res in Auth_self_keep -%}
+        action.id == "{{res}}" {% if Auth_self_keep|length == loop.index %}&&{% else %}||{% endif %}
+        {% endfor %}subject.user == "{{User}}") {
+			return polkit.Result.AUTH_SELF_KEEP;
+    }
+});{% endif %}{% if Auth_admin_keep|length %}
+polkit.addRule(function (action, subject) {
+    if ({% for res in Auth_admin_keep -%}
+        action.id == "{{res}}" {% if Auth_admin_keep|length == loop.index %}&&{% else %}||{% endif %}
+        {% endfor %}subject.user == "{{User}}") {
+			return polkit.Result.AUTH_ADMIN_KEEP;
+    }
+});
+{% endif %}

gpoa/templates/49-group_policy_permissions.rules.j2

@@ -0,0 +1,63 @@
+{#
+ # GPOA - GPO Applier for Linux
+ #
+ # Copyright (C) 2019-2022 BaseALT Ltd.
+ #
+ # This program is free software: you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation, either version 3 of the License, or
+ # (at your option) any later version.
+ #
+ # This program is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ # GNU General Public License for more details.
+ #
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ #}
+
+{% if No|length %}
+polkit.addRule(function (action, subject) {
+    if ({% for res in No -%}
+        action.id == "{{res}}"{% if No|length == loop.index %}){ {% else %} ||{% endif %}
+        {% endfor %}    return polkit.Result.NO;
+    }
+});
+{% endif %}{% if Yes|length %}
+polkit.addRule(function (action, subject) {
+	if ({% for res in Yes -%}
+		action.id == "{{res}}"{% if Yes|length == loop.index %}){ {% else %} ||{% endif %}
+		{% endfor %}    return polkit.Result.YES;
+	}
+});
+{% endif %}{% if Auth_self|length %}
+polkit.addRule(function (action, subject) {
+	if ({% for res in Auth_self -%}
+		action.id == "{{res}}"{% if Auth_self|length == loop.index %}){ {% else %} ||{% endif %}
+		{% endfor %}    return polkit.Result.AUTH_SELF;
+	}
+});
+{% endif %}{% if Auth_admin|length %}
+polkit.addRule(function (action, subject) {
+	if ({% for res in Auth_admin -%}
+		action.id == "{{res}}"{% if Auth_admin|length == loop.index %}){ {% else %} ||{% endif %}
+		{% endfor %}    return polkit.Result.AUTH_ADMIN;
+	}
+});
+{% endif %}{% if Auth_self_keep|length %}
+polkit.addRule(function (action, subject) {
+	if ({% for res in Auth_self_keep -%}
+		action.id == "{{res}}"{% if Auth_self_keep|length == loop.index %}){ {% else %} ||{% endif %}
+		{% endfor %}    return polkit.Result.AUTH_SELF_KEEP;
+	}
+});
+{% endif %}{% if Auth_admin_keep|length %}
+polkit.addRule(function (action, subject) {
+	if ({% for res in Auth_admin_keep -%}
+		action.id == "{{res}}"{% if Auth_admin_keep|length == loop.index %}){ {% else %} ||{% endif %}
+		{% endfor %}    return polkit.Result.AUTH_ADMIN_KEEP;
+    }
+});
+
+{% endif %}